<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Watching event data | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="example-watches.html" title="Example watches">
<link rel="prev" href="watch-cluster-status.html" title="Watching the status of an Elasticsearch cluster">
<link rel="next" href="watcher-troubleshooting.html" title="Troubleshooting Watcher">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="xpack-alerting.html">Alerting on cluster and index events</a></span>
»
<span class="breadcrumb-link"><a href="example-watches.html">Example watches</a></span>
»
<span class="breadcrumb-node">Watching event data</span>
</div>
<div class="navheader">
<span class="prev">
<a href="watch-cluster-status.html">« Watching the status of an Elasticsearch cluster</a>
</span>
<span class="next">
<a href="watcher-troubleshooting.html">Troubleshooting Watcher »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="watching-meetup-data"></a>Watching event data<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>
<p>If you are indexing event data, such as log messages, network traffic, or a web feed, you can create a watch to email notifications when certain events occur.
For example, if you index a feed of RSVPs for meetup events happening around the world, you can create a watch that alerts you to interesting events.</p>
<p>To index the meetup data, you can use <a href="/products/logstash" class="ulink" target="_top">Logstash</a> to ingest live data from the Meetup.com streaming API, <code class="literal">http://stream.meetup.com/2/rsvps</code>.</p>
<p>To ingest this data with Logstash:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<a href="/downloads/logstash" class="ulink" target="_top">Download Logstash</a> and unpack the
archive file.
</li>
<li class="listitem">
<p>Create a Logstash configuration file that uses the <a href="/guide/en/logstash/7.7/plugins-inputs-stdin.html" class="ulink" target="_top">Logstash standard input</a> and the <a href="/guide/en/logstash/7.7/plugins-outputs-stdout.html" class="ulink" target="_top">Logstash standard output</a> and save it in <code class="literal">logstash-{version}</code> directory as <code class="literal">livestream.conf</code>:</p>
<div class="pre_wrapper lang-ruby">
<pre class="programlisting prettyprint lang-ruby">input {
  stdin {
    codec =&gt; json <a id="CO538-1"></a><i class="conum" data-value="1"></i>
  }
}
filter {
  date {
    match =&gt; [ "event.time", "UNIX_MS" ]
    target =&gt; "event_time"
  }
}
output { <a id="CO538-2"></a><i class="conum" data-value="2"></i>
  stdout {
    codec =&gt; rubydebug
  }
  elasticsearch {
    hosts =&gt; "http://localhost:9200"
    user  =&gt; "elastic"
    password  =&gt; "x-pack-test-password"
  }
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO538-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The meetup data stream is formatted in JSON.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO538-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Index the meetup data into Elasticsearch.</p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
<p>To start indexing the meetup data, pipe the RSVP stream into Logstash and specify your <code class="literal">livestream.conf</code> configuration file.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl http://stream.meetup.com/2/rsvps | bin/logstash -f livestream.conf</pre>
</div>
</li>
</ol>
</div>
<p>Now that you’re indexing the meetup RSVPs, you can set up a watch that lets you know about events you might be interested in. For example, let’s create a watch that runs every hour, looks for events that talk about about <em>Open Source</em>, and sends an email with information about the events.</p>
<p>To set up the watch:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Specify how often you want to run the watch by adding a schedule trigger to the watch:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },</pre>
</div>
</li>
<li class="listitem">
<p>Load data into the watch payload by creating an input that searches the meetup data for events that have <em>Open Source</em> as a topic. You can use aggregations to group the data by city, consolidate references to the same events, and sort the events by date.</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">"input": {
    "search": {
      "request": {
        "indices": [
          "logstash" <a id="CO539-1"></a><i class="conum" data-value="1"></i>
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-3h"
                    }
                  }
                },
                {
                  "match": {
                    "group.group_topics.topic_name": "Open Source" <a id="CO539-2"></a><i class="conum" data-value="2"></i>
                  }
                }
              ]
            }
          },
          "aggs": {
            "group_by_city": {
              "terms": {
                "field": "group.group_city.keyword", <a id="CO539-3"></a><i class="conum" data-value="3"></i>
                "size": 5
              },
              "aggs": {
                "group_by_event": {
                  "terms": {
                    "field": "event.event_url.keyword", <a id="CO539-4"></a><i class="conum" data-value="4"></i>
                    "size": 5
                  },
                  "aggs": {
                    "get_latest": {
                      "terms": {
                        "field": "@timestamp", <a id="CO539-5"></a><i class="conum" data-value="5"></i>
                        "size": 1,
                        "order": {
                          "_key": "desc"
                        }
                      },
                      "aggs": {
                        "group_by_event_name": {
                          "terms": {
                            "field": "event.event_name.keyword" <a id="CO539-6"></a><i class="conum" data-value="6"></i>
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p><code class="literal">logstash</code> is the default <a class="xref" href="indices-add-alias.html" title="Add index alias API">index alias</a> for the Logstash
indices containing the meetup data. By default, the Logstash
<a class="xref" href="index-lifecycle-management.html" title="ILM: Manage the index lifecycle">index lifecycle management (ILM)</a> policy rolls this alias to a
new index when the index size reaches 50GB or becomes 30 days old. For more
information, see
<a href="/guide/en/logstash/7.7/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-ilm" class="ulink" target="_top">ILM
defaults in Logstash</a>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Find all of the RSVPs with <code class="literal">Open Source</code> as a topic.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>Group the RSVPs by city.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>Consolidate multiple RSVPs for the same event.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-5"><i class="conum" data-value="5"></i></a></p>
</td>
<td align="left" valign="top">
<p>Sort the events so the latest events are listed first.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO539-6"><i class="conum" data-value="6"></i></a></p>
</td>
<td align="left" valign="top">
<p>Group the events by name.</p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
<p>To determine whether or not there are any Open Source events, add a compare condition that checks the watch payload to see if there were any search hits.</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}</pre>
</div>
</li>
<li class="listitem">
<p>To send an email when <em>Open Source</em> events are found, add an email action:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">"actions": {
    "email_me": {
      "throttle_period": "10m",
      "email": {
        "from": "&lt;from:email address&gt;",
        "to": "&lt;to:email address&gt;",
        "subject": "Open Source Events",
        "body": {
          "html": "Found events matching Open Source: &lt;ul&gt;{{#ctx.payload.aggregations.group_by_city.buckets}}&lt;          li&gt;{{key}} ({{doc_count}})&lt;ul&gt;{{#group_by_event.buckets}}
          &lt;li&gt;&lt;a href=\"{{key}}\"&gt;{{get_latest.buckets.0.group_by_event_name.buckets.0.key}}&lt;/a&gt;
          ({{doc_count}})&lt;/li&gt;{{/group_by_event.buckets}}&lt;/ul&gt;&lt;/li&gt;
          {{/ctx.payload.aggregations.group_by_city.buckets}}&lt;/ul&gt;"
        }
      }
    }
  }</pre>
</div>
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>To enable Watcher to send emails, you must configure an email account in <code class="literal">elasticsearch.yml</code>. For more information, see <a class="xref" href="actions-email.html#configuring-email" title="Configuring email accounts">Configuring email accounts</a>.</p>
</div>
</div>
<p>The complete watch looks like this:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _watcher/watch/meetup
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "logstash"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-3h"
                    }
                  }
                },
                {
                  "match": {
                    "group.group_topics.topic_name": "Open Source"
                  }
                }
              ]
            }
          },
          "aggs": {
            "group_by_city": {
              "terms": {
                "field": "group.group_city.keyword",
                "size": 5
              },
              "aggs": {
                "group_by_event": {
                  "terms": {
                    "field": "event.event_url.keyword",
                    "size": 5
                  },
                  "aggs": {
                    "get_latest": {
                      "terms": {
                        "field": "@timestamp",
                        "size": 1,
                        "order": {
                          "_key": "desc"
                        }
                      },
                      "aggs": {
                        "group_by_event_name": {
                          "terms": {
                            "field": "event.event_name.keyword"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {  <a id="CO540-1"></a><i class="conum" data-value="1"></i>
    "email_me": {
      "throttle_period": "10m",
      "email": {
        "from": "username@example.org",  <a id="CO540-2"></a><i class="conum" data-value="2"></i>
        "to": "recipient@example.org",   <a id="CO540-3"></a><i class="conum" data-value="3"></i>
        "subject": "Open Source events",
        "body": {
          "html": "Found events matching Open Source: &lt;ul&gt;{{#ctx.payload.aggregations.group_by_city.buckets}}&lt;li&gt;{{key}} ({{doc_count}})&lt;ul&gt;{{#group_by_event.buckets}}&lt;li&gt;&lt;a href=\"{{key}}\"&gt;{{get_latest.buckets.0.group_by_event_name.buckets.0.key}}&lt;/a&gt; ({{doc_count}})&lt;/li&gt;{{/group_by_event.buckets}}&lt;/ul&gt;&lt;/li&gt;{{/ctx.payload.aggregations.group_by_city.buckets}}&lt;/ul&gt;"
         }
      }
    }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1297.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO540-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The email body can include Mustache templates to reference data in the watch payload. By default,it will be <a class="xref" href="actions-email.html#email-html-sanitization" title="Configuring HTML sanitization options">sanitized</a> to block dangerous content.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO540-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Replace the <code class="literal">from</code> address with the email address you configured in <code class="literal">elasticsearch.yml</code>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO540-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>Replace the <code class="literal">to</code> address with your email address to receive notifications.</p>
</td>
</tr>
</table>
</div>
<p>Now that you’ve created your watch, you can use the
<a href="/guide/en/elasticsearch/reference/7.7/watcher-api-execute-watch.html" class="ulink" target="_top"><code class="literal">_execute</code> API</a> to run it without waiting for the schedule to trigger execution:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST _watcher/watch/meetup/_execute</pre>
</div>
<div class="console_widget" data-snippet="snippets/1298.console"></div>
</div>
<div class="navfooter">
<span class="prev">
<a href="watch-cluster-status.html">« Watching the status of an Elasticsearch cluster</a>
</span>
<span class="next">
<a href="watcher-troubleshooting.html">Troubleshooting Watcher »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
